Management
1.0 The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
1.1 Policies and Communications
1.1.0 Privacy Policies
The entity defines and documents its privacy policies with respect to the following:
a. Notice (See 2.1.0)
b. Choice and consent (See 3.1.0)
c. Collection (See 4.1.0)
d. Use, retention, and disposal (See 5.1.0)
e. Access (See 6.1.0)
f. Disclosure to third parties (See 7.1.0)
g. Security for privacy (See 8.1.0)
h. Quality (See 9.1.0)
i. Monitoring and enforcement (See 10.1.0)
1.1.1 Communication to Internal Personnel
Privacy policies and the consequences of noncompliance with such policies are communicated, at least annually, to the entity's internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in privacy policies are communicated to such personnel shortly after the changes are approved.
Additional considerations: The entity periodically communicates to internal personnel (for example, on a network or a Web site) relevant information about the entity's privacy policies. Changes
1.2.3 Personal Information Identification and Classification
The types of personal information and sensitive personal information and
1.2.4 Risk Assessment
A risk assessment process is used to establish a risk baseline and to, at least annually, identify new or changed risks to personal information and to develop and update responses to such risks.
process and system test and development is prohibited unless such information is anonymized or otherwise protected in accordance with the entity's privacy policies and procedures.
1.2.8 Supporting Resources
Resources are provided by the entity to implement and support its privacy policies.
1.2.9 Qualifications of Internal Personnel
The entity establishes qualifications for personnel responsible for protecting the privacy and security of personal information and assigns such responsibilities only to those personnel who meet these qualifications and have received needed training.
1.2.10
- service-level agreements
- Industry requirements
- Business operations and processes
- People, roles, and responsibilities
- Technology
Privacy policies and procedures are updated to reflect changes in requirements.
Copyright 2009 by
American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants.
All rights reserved. Checklists and sample documents contained herein may be reproduced and distributed as part of professional services or within the context of
professional practice, provided that reproduced materials are not in any way directly offered for sale or profit. For information about the procedure for requesting
permission to make copies of any part of this work, please visit www.copyright.com or call (978) 750-8400.
Notice
2.0 The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
2.1 Policies and Communications
2.1.0 Privacy Policies
The entity's privacy policies address providing notice to individuals.
2.1.1 Communication to Individuals
Notice is provided to individuals regarding the following privacy policies:
a. Purpose for collecting personal information
b. Choice and consent (See 3.1.1)
c. Collection (See 4.1.1)
d. Use, retention, and disposal (See 5.1.1)
e. Access (See 6.1.1)
f. Disclosure to third parties (See 7.1.1)
g. Security for privacy (See 8.1.1)
h. Quality (See 9.1.1)
i. Monitoring and enforcement (See 10.1.1)
If personal information is collected from sources other than the individual, such sources are described in the notice.
Additional considerations: Illustrative notices are often available for certain industries and types of collection, use, retention, and disclosure.
Choice and Consent
The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
Policies and Communications
Privacy Policies
The entity's privacy policies address the choices available to individuals and the consent to be obtained.
3.1.1 Communication to Individuals
Individuals are informed about (a) the choices available to them with respect to the collection, use, and disclosure of personal information, and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.
Consequences of Denying or Withdrawing Consent
When personal information is collected, individuals are informed of the consequences of refusing to provide personal information or of denying or withdrawing consent to use personal information for purposes identified in the notice.
Additional considerations: Consideration should be given to prevent or detect the introduction of software that is designed to mine or extract information from a computer or other similar electronic device and therefore may be used to extract personal information, for example, spyware.
Collection
4.0 The entity collects personal information only for the purposes identified in the notice.
4.1 Policies and Communications
4.1.0 Privacy Policies
The entity's privacy policies address the collection of personal information.
Additional considerations: Some jurisdictions, such as some countries in Europe, require entities that collect personal information to register with their regulatory body.
4.1.1 Communication to Individuals
Individuals are informed that personal information is collected only for the purposes identified in the notice.
Additional considerations: The entity
- performs due diligence before establishing a relationship with a third-party data provider.
- reviews the privacy policies, collection methods, and types of consents of third parties before accepting personal information from third-party data sources.
4.2.4 Information Developed about Individuals
Individuals are informed if the entity develops or acquires additional information about them for its use.
Use, Retention, and Disposal
The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
5.1 Policies and Communications
5.1.0 Privacy Policies
The entity's privacy policies address the use, retention, and disposal of personal information.
5.1.1 Communication to Individuals
Individuals are informed that personal information is (a) used only for the purposes identified in the notice and only if the individual has provided implicit or explicit consent, unless a law or regulation specifically requires otherwise, (b) retained for no longer than necessary to fulfill the stated purposes, or for a period specifically required by law or regulation, and (c) disposed of in a manner that prevents loss, theft, misuse, or unauthorized access.
5.2.2 Additional considerations: The entity
- documents its retention policies and disposal procedures.
- retains, stores, and disposes of archived and backup copies of records in accordance with its retention policies.
- ensures personal information is not kept beyond the standard retention time unless a justified business or legal reason for doing so exists.
5.2.3 Additional considerations: The entity
- erases or destroys records in accordance with the retention policies, regardless of the method of storage (for example, electronic, optical media, or paper based).
- disposes of original, archived, backup and ad hoc or personal copies of records in accordance with its destruction policies.
- documents the disposal of personal information.
- within the limits of technology, locates and removes or redacts specified personal information about an individual as required, for example, removing credit card numbers after the transaction is complete.
- regularly and systematically destroys, erases, or makes anonymous personal information no longer required to fulfill the identified purposes or as required by laws and regulations.
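The retention and disposal considerations in 5.2.2 and 5.2.3 can be turned into a repeatable check. The following is an added example, not part of the GAPP document: the record layout, the retention periods and the sample records are constructed for illustration; it flags records (including backup copies) kept past their standard retention time with no documented justification, redacts a card number once the transaction is complete, and produces a disposal log entry.

```python
"""Retention-policy check and targeted redaction for personal information.

Added example, not part of the GAPP document. The record layout, the
retention periods and the sample records are all constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention policy: days a record is kept after its purpose is
# fulfilled (5.2.2 "standard retention time"). Archived and backup copies of a
# record follow the same rule as the original (5.2.2, 5.2.3).
RETENTION_DAYS = {"order": 365, "support_ticket": 90}


@dataclass
class Record:
    record_id: str
    category: str
    completed_on: date              # date the identified purpose was fulfilled
    copy_kind: str = "original"     # original, archive or backup
    legal_hold: str | None = None   # documented justification to keep longer
    fields: dict = field(default_factory=dict)


def retention_deadline(rec: Record) -> date:
    return rec.completed_on + timedelta(days=RETENTION_DAYS[rec.category])


def overdue_for_disposal(records: list[Record], today: date) -> list[str]:
    """Ids of records kept beyond standard retention with no documented
    justification (5.2.2). Records on a documented legal hold are not flagged."""
    return [rec.record_id for rec in records
            if rec.legal_hold is None and today > retention_deadline(rec)]


def redact_card_number(rec: Record) -> Record:
    """5.2.3: remove the card number after the transaction is complete, keeping
    only the last four digits so later enquiries can still be matched."""
    pan = rec.fields.get("card_number")
    if pan:
        digits = "".join(ch for ch in pan if ch.isdigit())
        rec.fields["card_number"] = "****" + digits[-4:]
    return rec


def disposal_log_entry(rec: Record, today: date) -> dict:
    """5.2.3: document the disposal so the entity can show the policy was followed."""
    return {"record_id": rec.record_id, "copy_kind": rec.copy_kind,
            "deadline": retention_deadline(rec).isoformat(),
            "disposed_on": today.isoformat()}


# Constructed sample data: an order and its backup copy (both past retention),
# an order on a documented legal hold, and a ticket still within retention.
SAMPLE = [
    Record("ord-1", "order", date(2023, 1, 10),
           fields={"card_number": "4111 1111 1111 1111"}),
    Record("ord-1", "order", date(2023, 1, 10), copy_kind="backup"),
    Record("ord-2", "order", date(2023, 1, 10), legal_hold="hold ref LH-1"),
    Record("tkt-7", "support_ticket", date(2024, 5, 1)),
]
TODAY = date(2024, 6, 1)   # constructed review date

if __name__ == "__main__":
    print(overdue_for_disposal(SAMPLE, TODAY))           # ['ord-1', 'ord-1']
    print(redact_card_number(SAMPLE[0]).fields)          # {'card_number': '****1111'}
    print(disposal_log_entry(SAMPLE[1], TODAY))
```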
Access
6.0 The entity provides individuals with access to their personal information for review and update.
6.1 Policies and Communications
6.1.0 Privacy Policies
The entity's privacy policies address providing individuals with access to their personal information.
6.1.1 Communication to Individuals
Individuals are informed about how they may obtain access to their personal information to review, update, and correct that information.
6.2.2 Confirmation of an Individual's Identity
The identity of individuals who request access to their personal information is authenticated before they are given access to that information.
Understandable Personal Information, Time Frame, and Cost
Personal information is provided to the individual in an understandable form, in a reasonable timeframe, and at a reasonable cost, if any.
Additional considerations: The entity
- provides personal information to the individual in a format that is understandable (for example, not in code, not in a series of numbers, not in overly technical language or other jargon), and in a form convenient to both the individual and the entity.
- makes a reasonable effort to locate the personal information requested and, if personal information cannot be found, keeps sufficient records to demonstrate that a reasonable search was made.
- takes reasonable precautions to ensure that personal information released does not identify another person, directly or indirectly.
- provides access to personal information in a timeframe that is similar to the entity's normal response times for other business transactions, or as permitted or required by law.
- provides access to personal information in archived or backup systems and media.
- informs individuals of the cost of access at the time the access request is made or as soon as practicable thereafter.
6.2.4 Denial of Access
Individuals are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity's legal right to deny such access, if applicable, and the individual's right, if any, to challenge such denial, as specifically permitted or required by law or regulation.
Additional considerations: The entity
- outlines the reasons why access to personal information may be denied.
- records all denials of access and unresolved complaints and disputes.
- provides the individual with partial access in situations in which access to some of his or her personal information is justifiably denied.
- provides the individual with a written explanation about why access to personal information is denied.
- provides a formal escalation (appeal) process if access to personal information is denied.
- conveys the entity's legal rights and the individual's right to challenge, if applicable.
6.2.5
the entity. If practical and economically feasible to do so, the entity provides such updated or corrected information to third parties that previously were provided with the individual's personal information.
Additional considerations: The entity
- describes the process an individual must follow to update or correct personal information
6.2.6 Statement of Disagreement
Individuals are informed, in writing, about the reason a request for correction of personal information was denied, and how they may appeal.
Additional considerations:
bound to cease further processing.
challenge is communicated to third parties having access to the information in question.
Disclosure to Third Parties
The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
Policies and Communications
Privacy Policies
The entity's privacy policies address the disclosure of personal information to third parties.
7.1.1 Communication to Individuals
Individuals are informed that personal information is disclosed to third parties only for the purposes identified in the notice and for which the individual has provided implicit or explicit consent unless a law or regulation specifically allows or requires otherwise.
7.2.2 Protection of Personal Information
Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity's privacy policies or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms
Additional considerations:
in another country and may be subject to other requirements.
7.2.4 Additional considerations: The entity
- reviews complaints to identify indications of any misuse of personal information by third parties.
- responds to any knowledge of a third party using or disclosing personal information in variance with the entity's privacy policies and procedures or contractual arrangements.
- mitigates, to the extent practicable, any harm caused by the use or disclosure of personal information by the third party in violation of the entity's privacy policies and procedures (for example, notify individuals affected, attempt to recover information disclosed to others, void affected numbers and reissue new numbers).
- takes remedial action in the event that a third party misuses personal information (for example, contractual clauses address the ramification of misuse of personal information).
Security for Privacy
8.1.1 Communication to Individuals
Individuals are informed that precautions are taken to protect personal information.
Additional considerations:
physical and logical).
Personal information in any location under control of the entity or deemed to be under control of the entity must be protected.
8.2.1
1 These areas are drawn from ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management. Permission is granted by the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). Copies of ISO/IEC 27002 can be purchased from ANSI in the United States at http://webstore.ansi.org/ and in Canada from the Standards Council of Canada at www.standardsstore.ca/eSpecs/index.jsp. It is not necessary to meet all of the criteria of ISO/IEC 27002:2005 to satisfy Generally Accepted Privacy Principles criterion 8.2.1. The references associated with each area indicate the most relevant Generally Accepted Privacy Principles criteria for this purpose.
Additional considerations:
requiring service providers by contract to implement and maintain appropriate safeguards for the personal information at issue.
8.2.4 Environmental Safeguards
Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards.
Additional considerations:
personal information may not be encrypted.
8.2.6
Upon termination of employees or contractors, procedures provide for the return or destruction of portable media and devices used to access and store personal information, and of printed and other copies of such information.
Quality
9.0 The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
9.1 Policies and Communications
9.1.0 Privacy Policies
The entity's privacy policies address the quality of personal information.
9.1.1 Communication to Individuals
Individuals are informed that they are responsible for providing the entity with accurate and complete personal information, and for contacting the entity if correction of such information is required.
9.2.1 Additional considerations:
- reconfirmation of information held and methods for individuals to proactively update personal information).
- indicate how to verify the accuracy and completeness of personal information obtained directly from an individual, received from a third party (see 4.2.3, Collection From Third Parties), or disclosed to a third party (see 7.2.2, Protection of Personal Information).
- ensure personal information used on an ongoing basis is sufficiently accurate and complete to make decisions, unless clear limits exist for the need for accuracy.
- ensure personal information is not routinely updated unless such a process is necessary to fulfill the purposes for which it is to be used.
Relevance of Personal Information
Personal information is relevant to the purposes for which it is to be used.
Monitoring and Enforcement
The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints and disputes.
Policies and Communications
Privacy Policies
The entity's privacy policies address the monitoring and enforcement of privacy policies and procedures.
10.1.1 Communication to Individuals
Individuals are informed about how to contact the entity with inquiries, complaints and disputes.
10.2.2 Additional considerations:
- identify trends and the potential need to change the entity's privacy policies and procedures.
- use specified independent third-party dispute resolution services or other processes mandated by regulatory bodies in the event the individual is not satisfied with the entity's proposed resolution, together with a commitment from such third parties to handle such recourses.
Compliance Review
Compliance with privacy policies and procedures, commitments and applicable laws, regulations, service-level agreements, and other contracts is reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented.
10.2.4 Instances of Noncompliance
Instances of noncompliance with privacy policies and procedures are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis.
10.2.5 Ongoing Monitoring
Ongoing procedures are performed for monitoring the effectiveness of controls over personal information, based on a risk assessment [1.2.4], and for taking timely corrective actions where necessary.
Additional considerations: Policies state that confirmation of a privacy-related complaint is provided to the complainant within 72 hours, and if not resolved within 10 working days, then the issue is escalated to the CPO. The control is a log used to record privacy complaints, including complaint date, and subsequent activities through to resolution. The monitoring activity is the monthly review of such logs for consistency with this policy.